b'\x0c=n                              KPMG LLP\n                                2001 M Street, NW\n                                Washington, DC 20036~3389\n\n\n                                        MANAGEMENT LETTER\n\n\nNovember 14, 2011\n\n\nCONFIDENTIAL\nInspector General,\nand Administrator of the   U.S. Small Business Administration\nWe have audited the consolidated financial statements of the                          U.S.\n                                                                  Small Business Administration\n(SBA),as of September 30, 2011 and 2010, and for the years then ended, and have issued our report\nthereon dated November 14,      2011.\n                                   We conducted our audit in accordance with auditing standards\ngenerally accepted in the United States of America; the standards applicable to [mancial audits\ncontained in Government Auditing Standards, issued by the Comptroller General of the United States;\nand Office of Management and Budget (OMB)Bulletin No. 07-04, Audit Requirements for Federal\nFinancial Statements, as amended. In planning and performing our fiscal year 2011 audit, we\nconsidered the SBA\xe2\x80\x99s internal control over financial reporting (internal control) as a basis for\ndesigning our auditing procedures for the purpose of expressing our opinion on the financial\nstatements, but not for the purpose of expressing an opinion on the effectiveness of the SBA\xe2\x80\x99s internal\ncontrol. Accordingly, we do not express an opinion on the effectiveness ofthe SBA\xe2\x80\x99s internal control.\nDuring our audit, we noted certain matters involving intemal control and other operational matters that\nare presented for your consideration. These comments and recommendations, all of which have been\n\nresult in other operating efficiencies, and are summarized in Exhibit\ncomments is presented in Exhibit n.\n                                                                                             1.\ndiscussed with the appropriate members of management, are intended to improve intemal control or\n                                                                             The status of prior year\n\nIn addition, we identified certain deficiencies in intemal control that we consider to be a significant\ndeficiency, and communicated them in our Independent Auditors\xe2\x80\x99 Report dated November 14,          2011.\nOur audit procedures are designed primarily to enable us to form an opinion on the financial\nstatements, and therefore may not bring to light all weaknesses in policies or procedures that may exist.\nWe aim, however, to use our knowledge of the SBA\xe2\x80\x99s organization gained during our work to make\ncomments and suggestions that we hope will be useful to you.\nWe would be pleased to discuss these comments and recommendations with you at any time.\nTins communication is intended solely for the information and use of the Office of Inspector General,\nOMB,the Govemment Accountability Office, the                      U.S,\n                                                       Congress, and SBA management, and is not\nintended to be and should not be used by anyone other than these specified parties.\nVery truly yours,\n\n KPtt\xe2\x80\x99(Gs- Let>\n                                 KPMG LLP Is a Delaware limited jiabllity parlm~rshlp,\n                                 the U.S. member firm of KPMG International Cooperative\n                                 ("KPMG In!ernaUonaf). a\n                                                       Swiss entity.\n\x0c                                                                                                Exhibit I\n                           U.S. SMALL BUSINESS ADMINISTRATION\n                                    Management Letter Comments\n                                             FY 2011\n\nNONCOMPLIANCE WITH THE DEBT COLLECTION IMPROVEMENTACT OF 1996\n\nIn our Independent Auditors\xe2\x80\x99 Report dated November 14, 2011,we reported noncompliance with the Debt\nCollection lmprovement Act of 1996 (DClA)in sunnnarized fonn. For purposes of tracking the status of\nmanagement\xe2\x80\x99s actions in the SBA\xe2\x80\x99s audit follow-up system,we provide the following detail.\n\nOur testwork over compliance with the DC1A covered the U.S. Small Business Administration\xe2\x80\x99s (SBA)\nloans that were charged-off between April 1,2010 and August 31,   2011.\n                                                                      While performing our testwork,\nwe identified the following instances of noncompliance with the DClA:\n\n   .   The SBA did not refer at least 504 delinquent Disaster Assistance program loans to the\n       Department of Treasury (Treasury)for cross-servicing and offset at time of charge-off. The SBA\n                                                                                                     U.S.\n       sent due-process notices to some,bnt not all, of the obligors advising them that their indebtedness\n       would be sent to the Treasnry for collection.\n\n   .   Also, the SBA did not refer more than 5,000 eligible CO-bOlTowers and guarantors (whosigned the\n       Loan Anthorization Agreement for Disaster Assistance, 504/CDC,and 7(a) loans) to the Treasnry\n       for cross-servicing and offset.\n\nCertllin charged-off loans, co-borrowers, and guarantors were not referred to the Treasnry for cross-\nservicing and offset during the period of review due to systemic problems with the legacy mainftame\nsystem. Specifically, certain outdated system edits in the SBA\xe2\x80\x99s referral protocol prevented certain loans\nin charged-off status from being transferred to the Treasnry for collection. Also, progrannners in the\nOffice ofthe Chief Infonnation Officer (OCIO)modified the COBOL code (referral protocol), but did not\ntest the program changes during the development phase prior to rolling the changes out to prodnction.\n\nWe noted that during the fourth quarter of Fiscal Year (FY)2011, staff in the OCIO took actions to\naddress the weaknesses addressed as causes above. These actions include: performing some analyses of\nloans in charged-off status; identifying and removing a system edit from the referral protocol; and\ncorrecting errors in the COBOL code that prevented certain charged-off loans, co-borrowers, and\nguarantors from being referred to the Treasury.\nBecause these loans were not timely referred to the Treasnry for servicing, the SBA is not compliant with\nthe DClA. Also, the lack of a founal change management process poses the risk of uncontrolled and\nunauthorized system changes being made which will compromise the integrity of the data maintained and\ntransmitted to the Treasnry. According to staff in the OC10, these loans total, at a minimum, $226\nmillion in outstanding unpaid principal balance. In addition, the likelihood ofthe Treasury\xe2\x80\x99s full recovery\nor collection on this debt decreases as the debt ages. Finally, the SBA\xe2\x80\x99s reporting of debts on the Report\nof Receivables Due for the Public (direct and insured loans) and the Report on Guarantied Loan\n(guarantied loans)may be understated or misleading.\n\n\n\n\n                                                                                                            1\n\x0c                                                                                                Exhibit I\n                             U.S. SMALL BUSINESS ADMINISTRATION\n                                      Management Letter Comments\n                                              FY 2011\n\nWe recommend the ChiefInformation Officer:\n1.   Issue reminders to staff that all program changes follow the SBA\xe2\x80\x99s change management process to\n     include policies and/or procedures for documentation retention such as testing evidence and change\n     approvals prior to development and implementation of the change to production.\n2. Continue to conduct in-depth analyses of the existing referral protocol to identify and correct program\n   coding that is preventing charged-off loans ftom being automatically transferred to the Treasury.\n\n3. Review and update the SBA\xe2\x80\x99s referral protocol to ensure that qualifying loans with executed due\n     process notices are automatically transferred to the Treasury.\n\n4. Continue to perform an analysis of loans charged-off in prior years to identify and correct the issues\n   noted above.\n\n5. Continue to coordinate with staff in the Treasury\xe2\x80\x99s Debt Management Services to develop useful\n   reports that can be used to reconcile charged-off loans and associated borrowers, co-borrowers, and\n   guarantors to ensme the timely collection ofindebtedness on the SBA\xe2\x80\x99s delinquent loan inventory.\n\nWe also recommend the Office of Portfolio Management Director work with the Office of Financial\nProgram Operations (OFPO)Director to:\n6. Implement robust, quarterly monitoring reviews to identify all charged-off loans where the automatic\n   referral did not occur.\n\n7. Review the list of co-borrowers and guarantors who were not referred prior to the referral protocol\n   corrections and refer individuals to the Treasury, as appropriate.\n\nManagement\xe2\x80\x99s Response:\nThe SBA\xe2\x80\x99s management concurs with the findings and recommendations.\n\nINADEQUATE REVIEW OF THE REQUIRED SUPPLEMENTARY STEWARDSHIP\nINFORMATION\n\n The Financial Statement Workbook is an Excel workbook that is prograrnmed to receive a data extract\n ftom the General Ledger and compile it into the four principal financial statements, footnotes, and other\n related disclosures. During our testwork over the SBA\xe2\x80\x99s Required Supplementary Stewardship\n Information as of June 30, 2011 presented as part of the financial statements Other Accompanying\n Information (OAl), we noted that the FY 2011 Stewardship Investments in Human Capital balances\n related to Small Business Development Centers, SCORE, Women\xe2\x80\x99s Business Centers, and All Other\n Training and Assistance Programs did not agree to the Financial Statement Workbook.\n\n\n\n                                                                                                            2\n\x0c                                                                                               Exhibit I\n                           U.S. SMALL BUSINESS ADMINISTRATION\n                                    Management Letter Comments\n                                            FY2011\n\n\nThe Office of the Chief Financial Officer\xe2\x80\x99s (OCFO)Financial Reporting Division updated the Financial\nStatement Workbook; however, this update was not communicated to the quality assurance or financial\nassurance teams subsequent to their approval and sign-off. As a result the SBA\xe2\x80\x99s Stewardship Investments\nin Human Capital balances are overstated by $465,654, which could result in a misstatement of the overall\npresentation ofthe financial statements.\n\nWe recommend the Chief Financial Officer (CFO):\n8. Reinforce the need for each team in the OCFO to sign-off on the requisite checklists once the final\n   review of financial data is complete, as well as the need to timely coordinate and communicate\n   subsequent changes that affect the Financial Statement Workbook and the Word version of the ON to\n   the other teams.\n\n9. Develop and docnment policies and procedures for the Word versions of the OAI presented in the\n   financial statements to ensure these sections are accurate and in agreement with the final version of\n   the Financial Statement Workbook.\n\nManagement\xe2\x80\x99s Response:\n\nThe SBA\xe2\x80\x99s management concurs with the finding and recommendations.\n\nIMPROVEMENTISNEEDED IN THE OPEN OBLIGATIONS REVIEW PROCESS\n\nUndelivered orders (UDO)represent the value of goods and services ordered that have not been received.\nIf orders have been filled or are no longer needed, the SBA should deobligate any outstanding obligation\nbalances so that funds can be used for other purposes. During our testwork of the SBA\xe2\x80\x99s UDO review\nprocess, we noted the following:\n    .   As of September 30, 2011 we identified 49 of 6,841 UDO balances, recorded in Oracle totaling\n        $623,077, that were no longer valid because the SBA program office certified that the balances\n        were not needed and should have been deobligated, or because the goods or services had been\n        received.\n\n    .   The OCFO does not have a CUllent Standard Operating Procedure (SOP)that delegates specific\n        responsibilities for closing UDOs and deobligating fnnds in Oracle. For example, we noted\n        inadequate documentation, in the form of a CUllent SOP, of commnnication between the Denver\n        Finance Center (which has responsibility to ensure deobligation of UDOs in Oracle) and the\n        Office of Planning and Budget (OPB)(which has the overall responsibility of reviewing the final\n        UDO balance).\n\n\n\n\n                                                                                                           3\n\x0c                                                                                               Exhibit I\n                           U.S. SMALL BUSINESS ADMINISTRATION\n                                    Management Letter Comments\n                                            FY2011\n\n\nThe OCFO\xe2\x80\x99s formal policies and procedures for final closure ofUDOs do not adequately specifY program\noffice responsibilities to ensure that expired UDO balances, reported by the SBA program offices, are\ntimely closed out or deobligated in Oracle. These deficiencies increase the risk of misstated UDO\nbalances reported in the SBA\xe2\x80\x99s Statement ofBudgetary Resources.\n\nWe recommend the CFO enhance existing internal control over the quarterly UDO review process to\ninclude the fol1owing:\n10. Develop a current SOP to include specific evaluation and timely close-out procedures for UDOs.\n    This SOP should include the specific titles ofthe personnel who are delegated these responsibilities.\nII. Ensure that obligated funds are promptly deobligated when those funds are no longer needed.\n12. Perform an analysis to examine potential open UDOs at fiscal year end to identifY UDO balances that\n    should be closed out and deobligated (e.g., develop an aging of contracts that is reviewed by OPB at\n    year end to detennine if contracts are still valid based on the terms of contracts and program office\n    certifications).\n\nManagement\xe2\x80\x99s Response:\n\nThe SBA\xe2\x80\x99s management concurs with the first condition and the recommendations. The SBA\xe2\x80\x99s\nmanagement does not concur with the second condition as exemplified in their response below:\n"On February 8, 2011, the SBA issued a Procedural Notice to all SBA employees outlining procedures\nand specific responsibilities for closing UDOs and de-obligating funds in Oracle. A copy of this\nProcedural Notice was supplied to KPMG during the walkthrough. As demonstratedfrom this Procedural\nNotice, the periodic UDO assessment is integrated in the agency\xe2\x80\x99s operation and is continuously\nmonitored by management. Both the Denver Finance Center and Office ofPlanning and Budget have\nbeen working together effectively to improve the UDO process each year. Evidence of this improved\ncommunication was provided to KPMG as a follow up to the initial walkihrough but has not been\nacknowledged in this NFR. A point of contact has been established in both offices; therefore,\ncommunication and information continues to flow. The points ofcontacts correspond via e-mall and/or\ntelephone prior to the UDO scheduled review, during the review andfollowing the reviewfor the status of\neach UDO close notification. The Office of the Chief Financial Officer, which includes the Denver\nFinance Center and the Office ofPlanning and Budget, takes the role and responsibility for the periodic\nreview, analysis and close out of UDO \xe2\x80\x99s very seriously. The UDO review process is included as part of\n                                                                                  "\nthe regular assigned duties ofdelegated staffin the Office ofPlanning and Budget.\n\n\n\n\n                                                                                                           4\n\x0c                                                                                               Exhibit I\n                           U.S. SMALL BUSINESS ADMINISTRATION\n                                    Management Letter Comments\n                                               FY2011\n\nKPMG\xe2\x80\x99s Response:\nKPMG has read the SBA\xe2\x80\x99s response and has made an editorial change; other than that change, we\nconsider our finding to be appropriate as presented. We note that the Procedural Notice mentioned above\ndoes document procednres associated with the closure of UDO\xe2\x80\x99s; however, we continne to recommend\nthat a current SOP be developed to enhance controls over the closure ofUDO\xe2\x80\x99s.\n\n\nCONTROLS NEEDED FOR VENDOR FILE MAINTENANCE\n\nA vendor master file is essential for an accounts payable operation. Typically, a vendor master file\ncontains contact, tax, and contract information for each vendor. As part of our FY 2011 audit testwork,\nwe noted that controls surrounding vendor files needs improvement. For instance, we noted that\nmanagement does not have adequate procedures to periodically review their vendor files and determine\nwhich vendors should be inactive. Specifically, we noted the following:\n\n   .   SBA designates vendors as "active" or "inactive" through use of the vendor status field in Oracle.\n       Of 55,006 vendors maintained in the vendor master data, only 20,222 (37%)were designated as\n       "active" status, while the remaining 34,784 (63%) were designated as "inactive" status.\n       Furthermore, there were 15,441 active vendors did not have any activity (payments) over an 8\n       month period (from October I"2010 to May 31" 2011).\n   .   Additionally, 309 vendors, 237 of those vendors being "active", had an incomplete address\n       maintained iJj the vendor master data file.\n\nThese conditions exist because the OCFO has not established comprehensive procedures, written or\notherwise, addressing key control areas of vendor file maintenance and monitoring. Without well\nestablished procedures and controls over the vendor master file data, errors or inappropriate use ofmaster\nfile data may go undetected, and excessive and inaccurate vendor master file records could lead to\nduplicate payments, unpaid invoices, and fraud.\n\nWe recommend the CFO:\n13. Develop and implement a vendor maintenance SOP for routine vendor maintenance that includes the\n    review, inactivation, archiving and/or purging of vendor master records at predetermined intervals.\n    This SOP should include regular reports on activity, conullunication with vendors, procedures for\n    vendor additions and deletions, and routine cleansing of old or duplicate entries.\n\nManagement\xe2\x80\x99s Response:\nThe SBA\xe2\x80\x99s management concurs with the findings and recommendations.\n\n\n\n\n                                                                                                           5\n\x0c                                                                                             Exhibit I\n                          U.S. SMALL BUSINESS ADMINISTRATION\n                                    Management Letter Comments\n                                            FY 2011\n\nUNTIMELY FOLLOW-UP ON LENDER OVERSIGHT CORRECTIVE ACTIONS\n\nDuring our review ofthe SBA\xe2\x80\x99s Office of Lender Oversight activities for its 7(a) loan program, we found\nthe Office of Credit Risk Management (OCRM)did not adequately follow-up with nine lenders assessed\nas "Less than Acceptable with Corrective Actions Required" as a result of the OCRM\xe2\x80\x99s risk-based, on-\nsite reviews:\n\n   .   OCRM officials did not timely follow-up with two lenders who were nonresponsive to findings\n       reported in February 2011.\n   .    OCRM officials did not maintain documentation to support its deteTI1lnation that seven lenders\xe2\x80\x99\n        corrective action plans were responsive to its recommendations or whether OCRM is monitoring\n        these lenders\xe2\x80\x99 progress to remediate findings identified during the reviews.\n\nDuring FY 2011, the OCRM encountered staffing issues (to include attrition) which attributed to a\nbacklog of on-site review reports and untimely follow-up with lenders regarding findings in the on-site\nreview reports. hl Jnne 2011, the newly appointed Acting Director of OCRM planned to hire additional\nstaff and utilize those resources to alleviate the backlog of on-site review reports. The OCRM Acting\nDirector also noted that the OCRM will resume its communications with lenders as the backlog is\ndiminished. Because the operations, knowledge of prudent lending practices, and/or application of the\nSBA\xe2\x80\x99s requirements and judgment for these nine lenders is questionable, these lenders may lack the\ncontinuing ability to make and manage their portfolio which poses a financial risk to the SBA for nearly\n$600 million in loans it gnaranties.\n\nWe recommend the Associate Administrator for Capital Access:\n\n14. Perform a review of the backlog to identify all open recommendations and weaknesses that were\n    identified during the OCRM on-site, risk-based reviews.\n\n 15. Reallocate and utilize staff to prioritize the review of open recommendations and weaknesses to\n     ensure that lenders (to include the nine noted above have submitted viable corrective action plans)\n     have submitted viable corrective action plans. If not, consider other remedial actions to bring all\n     lenders in compliance with the SBA\xe2\x80\x99s requirements.\n\n Management\xe2\x80\x99s Response:\n The SBA\xe2\x80\x99s management concurs with the findings and recommendations. The SBA notes that\n snbseqnent to June, 2011 OCRM hired additional staff and was successfnl in eliminating a backlog of 54\n on-site lisk-based reviews by September 27,   2011.   OCRM resumed its communications with lenders\n regarding corrective actions required ofthe reviewed lenders at that point.\n\n\n\n\n                                                                                                         6\n\x0c                                                                                                 Exhibit I\n                           U.S. SMALL BUSINESS ADMINISTRATION\n                                     Management Letter Comments\n                                                FY2011\n\n\nINADEQUATE CONTROLS OVER THE 1502 ERROR PROCESS\n\nDuring the FY 2010 audit we determined that a deficiency existed in Colson\xe2\x80\x99s 1502 reporting process for\nthe SBA\xe2\x80\x99s 7(a) loan program. We reported there was no reconciliation between Colson and the SBA\xe2\x80\x99s\nerror populations which caused a backlog of errors that were not timely remediated. In FY 2010, the\nSBA\xe2\x80\x99s management determined that those errors did not have a material impact on the financial\nstatements. Specifically, Colson ideutified 27,924 errors in its Lender Exception Report dated April,\n2010, while the SBA identified 48,040 errors for that same period. The lack of reconciliation between the\nerror populations was a result of discrepancies in edit checks programmed in the systems that Colson and\nthe SBA use to process 7(a) loan data. We discussed this deficiency with the SBA\xe2\x80\x99s management while\nconducting our FY 2011 audit procedures. Management asserted to us that Colson identified 27,684\nerrors in its Lender Exception Report dated April 2011, while the SBA identified 43,552 errors for that\nsame period. The SBA\xe2\x80\x99s management agreed that corrective action to remediate this deficiency was not\ntaken.\n\nAccording to the SBA staff, the discrepancy with the error count is the result of two different sets of edit\nchecks or "business rules" that are programmed in Colson and the SBA\xe2\x80\x99s systems. The SBA has\nattempted to work with Colson on aligning these business rules but due to conflicting priorities at Colson\nand the SBA, this issue has not been resolved. Because Colson\xe2\x80\x99s edit checks for processing 1502 loan\ndata are not aligned with the SBA\xe2\x80\x99s system edits, all 1502 errors considered relevant by the SBA are not\nreported by Colson or subsequently corrected. Consequently, the notes receivable balance, guaranty\nliability, and their related disclosures in the SBA\xe2\x80\x99s financial statements may be misstated.\nWe recommend the:\n\n16. OFA Director work with Colson to implement consistent system edit checks.\n 17. OFA Director and the, Office of Infonnation Systems Support Director establish a cross-functional\n    team to develop and implement a con\xe2\x80\x99ective action plan that outlines clear milestones with a time\n    table of results that can be directly quantified by a reduction in the 1502 error rate.\n\n 18. OCFO\xe2\x80\x99s Office of Financial Analysis and Modeling Director perform a detailed analysis of the\n     potential impact ofthe backlog of errors that were not remediated timely.\n\n Management\xe2\x80\x99s Response:\n\n The SBA\xe2\x80\x99s management concurs with the findings and recommendations.\n\n\n\n\n                                                                                                             7\n\x0c\x0c\x0c\x0c\x0c                                                                                               Exhibit I\n                           U.S. SMALL BUSINESS ADMINISTRATION\n                                    Management Letter Comments\n                                            FY 2011\n\nINADEQUATEREVIEW OFSTAR TIME AND ATTENDANCE REPORTS\n\nDuring our testwork over a sample of 90 System for Time and Attendance Reporting (STAR)Time and\nAttendance (T&A)Reports, we noted the following deficiencies:\n   .   Five STAR T&A Reports were signed and dated after the payroll disbursement occurred.\n   .   Thirteen STAR T&A Reports lacked the employee\xe2\x80\x99s timekeeper and/or supervisor signature and\n       date evidencing proper review and certification.\n\nThese deficiencies are indicative of a lack of supervisor and timekeeper reviews of STAR T&A Reports,\nas well as the accountability of hours incurred and charged by their employees. When a STAR T&A\nReport lacks the required signatures by an employee\xe2\x80\x99s timekeeper and/or supervisor, there is no evidence\nthat an employee\xe2\x80\x99s hours worked are accurate, which could result in a misstatement in the payroll expense\nreported in the SBA\xe2\x80\x99s financial statements.\n\nWe recommend the Chief Human Capital Officer:\n30. Continue to reinforce policies and procedures regarding the certification of STAR T&A Reports with\n    supervisors and timekeepers (i.e., issuance of a memorandum, training).\n\n31. certifying\n    Perform periodic quality assurance reviews to ensure supervisors and timekeepers\n               and dating all STAR T&A Reports.\n                                                                                            are properly\n\n\nManagement\xe2\x80\x99s Response:\nThe SBA\xe2\x80\x99s management concurs with the findings and recommendations.\n\nIMPROVEMENTNEEDED IN THE EMPLOYEE SEPARATION PROCESS\n\nDuring our review of intemal control over the employee separation process, we reviewed the Official\nPersonnel File for 30 employees, who had left the SBA, for evidence of a completed SBA Form 78,\nSeparation Checklist (Checklist), SF 50, Notification of Personnel Action, and related payroll\ntransactions.\n\nWhile the SBA continues to show improve nent over its human resource processes, our review showed\nthat out of the 30 Checklists we reviewed, 26 Checklists were not completed in accordance with the\ninstructions. The employees\xe2\x80\x99 supervisor and/or approving official did not realize the Checklists were\nincomplete during their final review and certification of the Checklist.                   For example,\nsignatures/clearances were not obtained to confillli the retum oflaptop computers, travel cards, telephone\ncalling cards, identificationlfascards, office keys, and virtual private network tokens.\nSignatures/clearances were also not obtained to ensure that LAN accounts and e-mail account access were\n\n                                                                                                       12\n\x0c                                                                                              Exhibit I\n                           U.S. SMALL BUSINESS ADMINISTRATION\n                                    Management Letter Comments\n                                            FY 2011\n\ndeactivated prior to employees leaving the SBA. We did not identify deficiencies related to the SF-50 or\nrelated payroll transactions.\n\n   .   Adequate quality assurance reviews were not performed by responsible personnel in the Office of\n       Human Capital Management and management officials in the SBA\xe2\x80\x99s program offices to ensure\n       that Checklists were completed during the separation process. Without proper completion of the\n       Checklist, the SBA lacks controls ensuring that property assigned to employees is returned to the\n       SBA.\n   .   Also, by not securing all required clearances prior to an employee leaving the SBA, an\n       employee\xe2\x80\x99s access to the SBA\xe2\x80\x99s automated systems may not be timely terminated which poses a\n       risk of vulnerabilities to the SBA\xe2\x80\x99s Information Technology general control environment.\n\nWe recommend the Chief Human Capital Officer:\n\n32. Continue to work with and provide training for the SBA\xe2\x80\x99s management personnel to reinforce the\n    importance ofproperly and fully completing the Checklist.\n\n33. Establish policies and procedures that require specific roles for the OHCM personnel to perform\n    quality assurance reviews to ensure that all required fields on the Checklist are completed prior to\n    their sign-off.\n\nManagement\xe2\x80\x99s Response:\nThe SBA\xe2\x80\x99s management concurs with the findings and recommendations.\n\n\n\n\n                                                                                                      13\n\x0c                                                                                                  Exhibit II\n                                  U.S. Small Business Administration\n                                      Status of Prior Year Comments\n                                                  FY2011\n\n\n          Fiscal Year 2010 Comments                                Fiscal Year 2011 Status\n               Management Letter\nLack ofEffective Reviews over Open Obligations      Revised and repeated in Exhibit 1, page 3, under the\n                                                    fol1owing heading:\n                                                        .   Improvement is Needed in the Open\n                                                            Obligations Review Process\nInsufficie.nt Documentation and Untimely            Revised and repeated in Exhibit 1, page 3,under the\nDeobligation of Undelivered Orders                  fol1owing heading:\n                                                        .   Improvement is Needed in the Open\n                                                            Obligations Review Process\nLack of Documentation for Employee Cost             Resolved\nAl1ocation Surveys\nInadequate Controls over the 1502 Error Process     Revised and repeated in Exhibit 1, page 6,under the\n                                                    following heading:\n                                                        .   Inadequate Controls over the 1502 Error\n                                                            Process\nNoncompliance with the Debt Col1ection               Revised and repeated in Exhibit 1,page 1, under the\nImprovement Act of 1996 (DCIA)                       fol1owing heading:\n                                                        .   Noncompliance with the DCIA of1996\nInconsistent Review of Charged-off Loans in          Resolved\nWorkout Status\nNoncompliance with SOP 50 52 Loan Liquidation        Resolved\n                      -\nand Acquired Property Untimely Guaranty\nCharge-offs\nLack of Approving Official Review at Time of         Revised and repeated in Exhibit 1, page 7,under the\nGuaranty Loan Charge-off                             fol1owing heading:\n                                                        .   Inadequate Reviews ofCharge-oift and\n                                                            Guaranty Loan Purchases\nNoncompliance with SOP 50 51 2A,Loan                 Revised and repeated in Exhibit 1, page 8,under the\n                                  -\nLiquidation and Acquired Property Missing            fol1owing heading:\nDocumentation within Loan Files\n                                                        .    Missing Loan Documentation\n                                                                                                           1\n\x0c                                                                                                  Exhibit II\n                                  U.S. Small Business Administration\n                                      Status ofPrior Year Comments\n                                                  FY 2011\nImproper Payment - Incorrect Amount ofInterest       Revised and repeated in Exhibit 1, page 10 under the\nPaid at Time of Guaranty Purchase                    following heading:\n                                                        .    Improper Payment - Incorrect Amount Paid at\n                                                             Time ofthe Loan Guaranty Purchase\n\nImproper Payment - Incorrect Billing to Lenders at   Revised and repeated in Exhibit 1, page 10,under the\nCharge-off                                           following heading:\n                                                        .    Improper Payment - Incorrect Amount Paid at\n                                                             Time ofthe Loan Guaranty Purchase\nLack of Segregation of Duties in the Sacramento      Resolved\nLoan Processing F oxPro System\nImprovement Needed in the 7(a)Lender Oversight       Revised and repeated in Exhibit I, page 5,under the\nProcess                                              following heading:\n                                                        .    Untimely Follow-up on Lender Oversight\n                                                             Corrective Actions\n\nImprovement Needed in the Duplication of Benefits Resolved\nProcess\nImprovement Needed over Time and Attendance          Revised and repeated in Exhibit 1, page 11,under the\n(T&A)Payroll Controls                                following heading:\n                                                         .   Inadequate Review ofSTAR Time and\n                                                             Attendance Reports\nhnprovement Needed to Ensure Standard Operating Resolved\nProcedures are Current\nhnprovement Needed in the Employee Separation        Revised and repeated in Exhibit 1, page 12,under the\nProcess                                              following heading:\n                                                         .   Improvement Needed in the Employee\n                                                             Separation Process\nLack of Control over the Retention of Delegation of Resolved\nAuthority and Line of Succession Memoranda\n\n\n\n\n                                                                                                            2\n\x0c'